Account Safety and Security
=Purpose and Introduction=

Hi, this is Skunkwerks-type-personage, and herein I'm going to try to archive, or "inter" if you will, a wealth of information regarding Keyloggers and other Account Security issues that I usually keep freshly updated in a thread in the Official Earthen Ring Realm Forums. I will in all likelihood continue to maintain the thread, but I would like to keep an archived copy here not only for the reference of others, but also for myself. It takes a good deal of effort to get a thread stickied, and the information changes so often that it needs to be "freshened" periodically (reorganized and such) to keep it convenient and readable. Here of course you also have the advantage of the Wiki-Formatting's Table of Contents, which should make the article (a long read to be sure) easier to access for those looking for specific topics within it.

In any case, I understand it's a bit "off-topic", but as this is the Earthen Ring Community, and I've been keeping this as a service to that community, I think you can see where this "fits". --SkunkWerks 05:24, 6 December 2008 (UTC)

=Motivations=

Why do Account Thieves do this? Well, as one poster on the forums once put it: "You will never see such industry in the art of account theft as you will in WoW." And when you think about how successful WoW has become as an MMO (it's an anomaly in the MMO genre- few MMOs break the six-digit subscriber mark, let alone do so hundreds of times over as WoW has), it becomes easier to understand why there is such "industry" in the account theft trade. To put this simply: there's a lot of money to be made.

When an account is taken over, the thieves who take it are generally seeking to do two things:

:1) Fleece the account for all it's worth- selling off all equipment and stored goods, or transferring them to other accounts quickly so that the more protracted process of auctioning valuables can be conducted- in an effort to make as much gold from the account as possible.
:2) Further the trade of account theft- to which end these stolen accounts will be employed to post URLs leading to keyloggers, trojans, false "login" pages and whatever other deceptive tools the thieves may be using to facilitate account theft. In this sense, like a virus, it invades the "cell" (account) and reproduces more of itself by phishing for new marks who will in turn have their accounts stolen, and so the process begins anew.

==Show Me Tha Money!==

This leads to the question of where all that stolen gold and property goes- if this is a business, as I've suggested, someone must profit: who? To answer that question, we have to look at two sorts of WoW-related URLs- links you will see posted both on the forums and in-game. The first is the Keylogger URLs, and the second is Gold Sellers (or RMT- for Real Money Trade)- those who sell gold, "powerleveling" and other in-game "services" for real-world money.

First let's take a peek at our shadowy antagonists in this tale- the Account Thieves. What do we know about them? Well, most of the Keylogger URLs can be traced quite easily by a widely available web-based service called "WhoIs", which any internet user can make use of freely. Such traces will easily reveal who registered a domain name (the central part of any URL) and where that person hails from. These traces nearly ALWAYS lead to a Chinese origin.

Now let's look at Gold-Sellers. This is obviously an attractive offer to many players who feel they do not have the time for the "grind" that playing WoW can in many ways represent. You fork over a bit of cash and in return get someone essentially to play the game for you- either by giving you goods or gold you never truly earned, or by "powerleveling" your character- a term which basically means leveling a character very quickly. What do we know about gold sellers? Just as you can trace keylogger URLs via widely available services, you can do the same for Gold-Sellers. And in any case, it's not exactly a secret that most Gold-Selling outfits (and the "gold farmers" they purportedly employ) are also Chinese in origin. We also know that Gold Farming, as many "insider" articles will tell you, is a very formidable task, and a highly time-consuming activity. The individuals "hired" (it's been oft demonstrated that many work for a pittance- which is not necessarily unique to the MMO RMT "industry" in China in any case) work long hours, and work like machines.

==The Devil is in the Details (a different view of your "Friendly Neighborhood Gold Seller")==

Aside from the Chinese origin, what other similarities could we find between these two parties? Well, neither business is "welcome" as far as Blizzard (WoW's parent company) is concerned. They operate in a shady area outside of Blizzard's Terms of Service- which is a legally-binding document that all who play WoW- be they players or gold-sellers- must agree to in order to play (be provided service). Blizzard has shown a history of actively prosecuting RMT companies wherever it can- most notably forcing an injunction against the once-popular RMT company Peons4Hire on the grounds that its incessant spam of global chat channels, as well as whispers to players, was creating an adverse experience for players and damaging Blizzard's business. And obviously Blizzard doesn't want Account Thieves running willy-nilly, making a lot of sad and inconvenienced players and ruining their business that way- so here's another group of individuals who operate in a very small margin- which basically consists of wherever they can worm their way in unnoticed or unchecked.

Now here's the brain-buster: What if they're the same people?

As I've already suggested, Gold-Farming is a time-consuming activity. It was once far more popular, I think, when Gold was harder to come by (prior to Burning Crusade and the advent of the "easy-money" Daily Quests) and still primarily depended on your ability to play the Auction House in selling materials and goods. Now, however, what's the motivation? I suppose it's as easy to give Farmers accounts and let them do Dailies in the same easy fashion as players do to get gold- but you're still limited to 25 a day- and that run can be accomplished really in about two hours. And then of course you've got to pay someone (albeit very little in China) to do this.

What if there were an easier way to get it? Maybe by, say, stealing accounts and fleecing them of their gold? Then you can sell that gold to other players, and make a tidy little profit doing it, for all it cost you: some (likely botted) posts on the official forums containing keylogger URLs and a few pittance fees to register the bogus sites, which don't have to be paid for for more than a month anyway. Heck, what's to stop you from just stealing that gold from other players? You could even steal it from the very "customers" you sell gold to, by infecting them with keyloggers at the point of purchase without their knowledge. They'll get their gold, you get their account information, and then at some later date you steal back what you sold them, so you can sell the same gold to another trusting mark who will be none the wiser. Better still, you can get them to pay for the privilege of being robbed blind!

==Get Out Your Tin Foil Hats Guys...==

Sound like wild conspiracy theory? Should we call Oliver Stone or maybe Michael Moore? Maybe. Or maybe not... Remember those widely available trace services for URLs?
Well, it's a not well-known but easily uncovered fact that many of the URLs used by Account Thieves and those used by RMT companies share more than just a geographic similarity- they have on many occasions shared the same registrants, or have at any rate been eerily similar enough in addresses to suggest that, fairly frequently, those selling the gold and those stealing it are the same people. And to them this is the "victimless crime": the players who have their accounts stolen usually go straight to Account Admin and have most if not all of what they lost restored. So, your minor pain in the tuckus = their insane profit.

This is food for thought if you happen to be one of those players who may have been lured into buying gold- not only are you supporting the people stealing others' accounts, but in a tragically karmic irony, you will most probably become the victim of it at some point in the future yourself.

But in any case, the TL;DR version of this whole missive is: there's money to be made in account theft- the same take the RMT industry enjoys. That's where all that gold goes.

=Modus Operandi=

Now that we've covered the "why" of the matter, let's look at the "how" of it. Returning to the statement about the amount of "industry" seen in the theft of WoW accounts, it's safe to say that the how is a veritable cornucopia of tom-foolery, cheap tricks, and underhanded schemes. Almost too many to count, honestly. But what I can try to do is identify some of the common "tools" used in the trade and how they're generally employed. First, let's look at what tools keep for, well, tools.

==Tools of the Trade==

*'Phishing' - This is a specific sort of computer hacking strategy. As its trendy phonetic alteration of a more common English word (fishing) implies, Phishing suggests baiting a line and then waiting for bites from unwary fish. It is the strategy of least effort for the hacker, as its basic premise involves tricking a user into giving you secure information. Ever seen that tip on the WoW loading screen that says "A Blizzard employee will NEVER ask you for your password"? E-mails asking you for such things (often obliquely: "please verify your account information") are attempts at Phishing. Part of the reason this approach to hacking evolved (apart from laziness) is that encryption for passwords these days is very difficult to crack. It's far easier to dupe someone into giving you that information than it is to force it from their computer.
*'Trojans (Trojan Horses)' - This is a variety of viral code whose strategy is mostly dependent on subtlety. Whereas viruses of the past sought to do massive amounts of damage to computer systems, Trojans (as their mythologically-referenced name implies) are meant to pass into a system unnoticed and conduct their nefarious purposes in a similarly invisible fashion. Trojans can have a variety of purposes- most of which involve the unwitting puppeting of systems for nefarious ends- but all share this "stealth" aspect in common.
*'Keyloggers' - Probably the most common tool of these naughty men is the "keylogger". It's both a sub-variety of Trojan and part of a broader "hacking" strategy called Phishing. Keyloggers are little bits of invasive code that are designed to quietly and discreetly invade your computer without your knowledge. Once the Keylogger is in your computer, it lies dormant and silently keeps a log of everything you type. Presumably, sooner or later, you're going to enter some username/password information, and the log will record it. These logs are then sent (just as discreetly), typically to the person who infected you, and with a bit of reading they glean secure information from them, then take your account or whatever else they can by way of it.
*'Keylogger URLs' - A keylogger alone is just a piece of viral code. It needs a vector of transmission to reach your computer. URL stands for Universal Resource Locator; it's that odd string of text you may call a "website address", typically beginning with the prefix "http://". A Keylogger URL is a link leading to a bogus site which contains the bit of viral code that makes up the Keylogger, as well as a bit of script (usually JavaScript) which clandestinely "injects" the keylogger into your machine without your knowledge. These bogus sites of course appear to be normal web pages, but behind the appearance is the purpose: to infect your machine. You need only visit one of these sites and you can contract the keylogger from it without ever knowing it happened.
*'(Website) Script' - It should be noted that the same sorts of scripts that can be used to infect a computer with a Keylogger also find legitimate uses in Website design. Part of what this means is that most Web Browsers (Internet Explorer, and even Firefox) by default allow these scripts to run, regardless of the risk. The other part of what this implies is that in order to negate that risk, you must also negate the ability of legitimate websites to run script. There are certain approaches to safely browsing with scripts that involve "white-listing" sites that are deemed "safe" by the user and "black-listing" all other sites by default- allowing the user to choose which websites are allowed to run script through their browser- but any way you slice it, browsing safely means a certain degree of inconvenience for the user.
*'Chinese Keylogger Zombies (Stolen Accounts)' - This is my own colloquial term for the posters making bogus posts with infected URLs in them. The "Keylogger" part seems pretty obvious, so let's look at the other two words. I call these posters "Zombies" because they are themselves stolen accounts- accounts stolen by one or more of the same means I am discussing here. Think "Invasion of the Body Snatchers". These folk are sorta like the WoW version of Pod People- being puppeted by the thief who took the account. Now to the question of why they're Chinese. Well, if you look at the sites these Zombies spam, they sometimes have a ".cn" somewhere near the end of the URL string. This is the extension for sites that originate out of China. Early on, before they started getting smarter, this was an easy way to identify a URL that most likely contains a keylogger.
*'Spoofing' - Another sub-stratagem of Phishing, this scheme involves faking the domain name or identity of a popular and usually widely trusted site such as YouTube or IGN, and attempting to use that "street cred" to gull people into a false sense of security. As with bogus login pages, these can be spotted for the counterfeits they are, but only by someone who knows what to look for, and more importantly, takes the time to look- such "spoofs" will nearly always be slightly... off in some way (a letter added, or two letters transposed or replaced), since no two domain names can be perfectly identical. It only needs to look close enough to the original to do the trick. 'You1ube.com' might look close enough for someone who isn't paying much attention to begin with.
*'Bogus Forum Posts' - There's such a variety of these that it's difficult to summarize, but the basic premise of a bogus forum post is getting you to think it's something else (most commonly pictures of naked women, free beta keys, pictures of a popular raid on Halaa, and so on) long enough for you to visit whatever URL it contains and become infected by a Keylogger without knowing it. If it seems "too good to be true", it probably is.
*'Bogus E-mails' - If you're in the habit of passing out your e-mail address (in particular in WoW-related venues, such as the Official Forums), be aware that your Account Thief friends are watching. They will scan the forums for such bits of contact information, and then you will start getting e-mails. Some claim your account is about to be closed, some claim to offer a free beta key to the latest expansion, but all will usually ask you to "verify your account information" via a login page they have most conveniently provided you in the e-mail. The login page is itself bogus, and of course only transmits your user info to the thieves, but most of these pages are done up to look very convincing- using official Blizzard graphics and all of that. There are ways to see the counterfeit, but they're hard to spot for the untrained eye, and of course require a certain presence of mind to look for.
*'Hacking/Compromising "Third-Party" WoW Websites' - While Blizzard's Official Site for WoW obviously "spared no expense" with regard to security, and is locked down pretty damn tight, there are a number of "third-party" sites dedicated to WoW which are run on a much smaller budget, and are thus easier to compromise and turn to less-than-charitable ends. Such sites include Knowledgebases (such as Thottbot and WoWHead), Addon Distribution Sites (such as Curse Gaming and IncGamers), and even Strategy Sites (like ElitistJerks or WorldOfRaids). Not all, but many of these sites I happen to know have had problems with this. They may have been hosting ads from an infected source (Thottbot was once infamous for hosting Gold-Seller Ads on its site through GoogleAds), or hackers may have actually broken into the site and placed viral code that was infecting one or more of the site's files (I've seen one or two Addon Sites fall victim to this- in particular with regard to their "automatic updating" programs). The moral of this story is that while these sites will often claim to scan for viruses themselves, don't count on them to be your only line of defense.
*'Haste (Yours)' - This could as easily be termed something I like to call "compulsive clicking syndrome". It's the tendency for people to click a link or follow a URL without any thought as to what it might be or who may have put it there. This can be caused as much by lack of knowledge of the risks as by plain compulsive behavior. "Ooh! A link! ~click-click!~" People often say a lot of Keylogger posts are childishly simple in how obvious they are, but the fact of the matter is they really don't need to be subtle to work. It certainly helps, but you'll still get a lot of bites without it.
*'Panic (Yours)' - Some of the best tools for perpetrating account theft aren't highly technical or even especially sneaky. Get a person jittery enough and they'll start doing all sorts of things that they normally would not. This goes even for especially intelligent or wary people. You drop your guard for a moment, and they have you. A fine example of this is that yours truly (author of this near-paranoid missive about avoiding account theft) was gulled when he got an e-mail stating his WoW account was about to be closed under suspicion of gold selling. I panicked, and next thing you know I was entering account information into a bogus login page without even thinking.
*'Excitement (Yours)' - Just as panic alters perception and behavior, so too does excitement. Have you noticed lately that with the Wrath of the Lich King Expansion the amount of Keylogger posting activity and bogus e-mails has been on a sharp rise? This isn't a coincidence. And it's a common conceit among people on the forums and elsewhere that only stupid people fall for scams and Keyloggers. This is perhaps half-true: excited people are often "dumber" than they might be otherwise, and easier prey for simple tricks and schemes- but they may be quite intelligent given other circumstances.

==Anatomy of an Account Theft==

Now let's take a peek at the toolbox in action and see how it all comes together.

#'Bait the Hook' - A forum post is made, a bogus e-mail is sent, gold or powerleveling is offered for money... whatever the method, something is done to trick the user into giving up his account info.
#'Reel in the Phish' - Keys have been logged, or account information has been "verified". At this point the information is captured and has been sent to the necessary people. As the user is probably still unaware that they've been hooked in the first place, there's usually plenty of time to glean from logs and then take control of the account at some later time.
#'Loot n' Plunder' - With the account safely in the wrong hands, it's time to start stripping it down in much the same way a chop-shop team strips down a car for parts. Bound gear is sold off (in ages past, when there was no level cap on Disenchanting, this was often the choice made for bound gear), along with anything else that has only vendor value. It's my assumption that any material or gear stored in banks or guild banks is then mailed off to other accounts the thieves have in their possession, which have more leeway to accomplish the more protracted and drawn-out process of auctioning off those materials for the highest price possible.
#'Spread the Joy (Optional)' - Since you've got the account for a while longer, now it's time to make sure you use it to the fullest effect. So you take that to the Official Forums and start making many, many posts with Keylogger URLs in them. It's my guess that this part of the process is botted in some way.
#'Abandon Ship' - At some point, once Account Admin's been contacted and is on the case, you'll be forced off the account, or maybe you'll just abandon it yourself- as it takes some time for Account Admin to verify what's going on and put a stop to things, and by then you've probably long since done all you wanted to do.
#'Damage Control' - The user's account is more than likely restored through Account Admin, with most if not all possessions and gold put back to their rightful owner. I somehow seriously doubt that the gold or equipment is recovered, so much as duplicates are given to the stricken player. After all is said and done, it is an ephemeral annoyance, and the user is probably none the wiser for their journey, being unaware of where the point of infection occurred in the first place (assuming they didn't perhaps bring it on themselves by using an RMT or powerleveling "service"), and similarly unaware of how to prevent a recurrence.

==The Forums (and the Dangers that Lie Therein)==

As I'm sure some of you will know, even if you don't participate in it directly or often, the WoW official forums are vast, with many people posting all sorts of topics, some of them about the game, and probably as many, if not more, not about the game, or loosely related to it. URL Links have been passed around those forums since their inception, and for the most part, many of those things linked are innocent enough. But because of the amount of money and business involved in WoW, and because of the obvious visibility of the Official Forums, less scrupulous individuals seek to use the forums as their own tool for perpetrating Account Theft against its denizens.

==Bogus Posts==

The primary method of utilizing the Official (and other WoW-related) Forums for the spreading of keyloggers is the Bogus Post. As touched on above, the basic premise in making a bogus post is to get the average forumgoer to think the post is about something else long enough for them to be fooled into visiting the URL(s) it contains. There are many different strategies employed in making bogus postings designed to fool forumgoers, and new sorts are developed all the time, but as with most things account thieves do, not much cleverness is actually required to get the tactic to pay off- it costs almost nothing in time and effort to make such posts, and if even a handful of people follow a given link and become infected, you've multiplied your returns considerably. A good analog to explain this concept is the phenomenon of spam e-mail. It costs next to nothing for a spammer to send thousands of e-mails to people, so if even five people out of a thousand respond to a given spamming, you've already more than paid for the effort. These spam e-mails don't have to be clever- the sheer amount of spamming one can do for one's "dime" makes that unnecessary. The same is also true of these bogus posts.

==A Short History of Links on the Official Forums==

Despite some accusations that Blizzard has "done nothing" to stem the tide of account theft and malicious posting on the forums, there can be observed a slow and deliberate trend towards safety measures that Blizzard has implemented on the Official Forums, intended to blunt the spread of keyloggers through them. Each change has been fairly small, and easily overlooked or disregarded, but has actually had a rather profound effect on the way links are posted and followed on the official forums. First, let's give you a short explanation of URLs (also known as 'Hyperlinks', and often simply 'Links')...

==Anatomy and Function of a URL==

The URL or Hyperlink is a subtle and often overlooked part of the greater structure we think of as the World Wide Web. Nonetheless it is essential to the framework of the Web- which is said to be "object-oriented". Hyperlinks are what allow you to move quickly from topic to topic in a given page by clicking on words, pictures or other objects that lead you to other pages presumably relating to those words or objects. If we were to dissect a URL, it essentially contains two things:

#A location- pointing to another web page that can be on the same server (computer) as the page bearing the link, or can link out to any location on the World Wide Web- these location strings are typically "hidden" in HTML code (the markup language that powers the World Wide Web) "behind" a word, picture or other object.
#A bit of text, picture or other object that serves as a placeholder for the whole text of the link. This Text, Picture or Object is clicked on to command the web browser to move to the location hidden in the HTML code behind the link.

Here's an Example Link to demonstrate the concept of linking... [http://en.wikipedia.org/wiki/Goat it's about goats]. The text you see in blue (and when it's followed, in purple) is the "placeholder" ("it's about goats"), while the link hidden behind the placeholder in the code is in fact "http://en.wikipedia.org/wiki/Goat". In the above example the placeholder text and where the link actually leads you are pretty straightforward- which is to say you expect to see something about goats, and after clicking it, you do. This is a concept which, as stated above, forms the very nature of the object-oriented approach the World Wide Web takes: click on the word "goat" and you'll be taken to a page about goats. But what if you're a less-than-charitable coder? You could use that "hidden" aspect to link to nearly ANYTHING you wanted, couldn't you? Well, sad to say, there are a number of nasty individuals out there who will take advantage of the World Wide Web to do just that.

==So What Has Blizzard Ever Done for Us?==

In regards to Linking on the forums and what it can or can't hide- a lot, actually. But it's very subtle, and easily missed. Initially on the forums, it was "anything goes". You could hide links not only behind text, but behind images, whatever. The "BBC" (Bulletin Board Code) commonly used to code forum postings (which is very similar in form and function to HTML code) allowed you to do anything in a forum post that you could accomplish in the HTML code of a webpage. Obviously this left a lot of room for naughty people to slip about and do naughty, tricksy things with code.
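The two checks a wary reader does by hand when faced with a link- "does the visible text say the same place the hidden location actually goes?" and "is that place really the site it resembles, or a You1ube.com-style near miss?"- can be scripted. The following is an added example written for this article, not code from the wiki page, Blizzard, or any forum software. It assumes a small hypothetical list of trusted hosts (TRUSTED_HOSTS) and a constructed sample post; a real checker would take the post body from the forum page instead.

```python
"""Audit the links in a forum post (added example, not the article's code).

Two checks per link: whether the placeholder text names a different host
than the hidden href, and whether the destination host is a near miss of a
trusted host (one or two character edits away, as in 'You1ube.com').
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical trusted-site list; an assumption for this example.
TRUSTED_HOSTS = ["youtube.com", "wikipedia.org", "worldofwarcraft.com"]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return [(href, visible_text), ...] for every anchor in the snippet."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_host(url):
    """Lower-cased host of a URL or bare 'site.com/path' text, minus 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Trusted host that `host` imitates, or None if it is genuine or unrelated."""
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return None          # the real site or one of its subdomains
    for trusted in TRUSTED_HOSTS:
        if edit_distance(host, trusted) <= 2:
            return trusted       # close enough to fool a hasty reader
    return None


def audit_post(html):
    """One finding per link: href, placeholder text, and a list of warnings."""
    findings = []
    for href, text in extract_links(html):
        warnings = []
        dest = registrable_host(href)
        # Only compare hosts when the placeholder itself looks like an address.
        shown = registrable_host(text) if "." in text and " " not in text else ""
        if shown and shown != dest:
            warnings.append(f"text says {shown} but link goes to {dest}")
        imitated = lookalike_of(dest)
        if imitated:
            warnings.append(f"{dest} looks like {imitated} but is not it")
        findings.append({"href": href, "text": text, "warnings": warnings})
    return findings


# Constructed sample post: an honest link, a hidden destination, a lookalike.
SAMPLE_POST = (
    '<p>Screenshots: <a href="http://en.wikipedia.org/wiki/Goat">'
    "it's about goats</a></p>"
    '<p>Video here: <a href="http://example-bad-host.invalid/x">'
    "www.youtube.com/watch?v=abc</a></p>"
    '<p>More: <a href="http://you1ube.com/watch">click</a></p>'
)

if __name__ == "__main__":
    for f in audit_post(SAMPLE_POST):
        print(f"{f['href']} ({f['text']!r}): " + ("; ".join(f["warnings"]) or "ok"))
```

The first check is exactly the placeholder-versus-location distinction the section above draws, and the second is a crude version of what a careful reader does when they notice the "1" in You1ube. An edit distance of two will also flag some innocent short domains, so a real deployment would tune the threshold or whitelist known neighbours.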
Eventually the ability to link images in the forums was removed (I'm sure as much for the reason that people were displaying violent or pornographic images via Blizzard's forums as anything else) as was the ability to create standard URL links where the location a link led to was hidden behind some other text or image. At that point you could still simply paste a link into the text of a post and the coding would make it a hyperlink to that location, but you could no longer "hide" the location string itself in coding. As it was realized that links to malicious things were still running rampant, Blizzard then thought to put in a redirect page to links posted on their forums that first took a user to another page before providing them access to the linked location. This page took the form of a warning, stating that the page you might be visiting could be malicious in nature (and naturally that Blizzard couldn't be held responsible for any harm you or your computer suffered as a result of visiting it). Some months later, apparently feeling that this wasn't stemming the tide enough, Blizzard finally removed the ability to create hyperlinks in forum posts altogether. At the present time you can still post the location URL of a page in text in a forum post, but the forum code will not make that string into an actual clickable link. You can of course still follow location strings posted in forum posts by highlighting the text, then copying and pasting it into the location bar of your Internet Browser. But the heyday of clickable linking in posts on the Official Forums is months gone. Some bits of text (primarily those contained in User Signatures authored before this change) still contain clickable URLs and seem to be "grandfathered" as it were, but it's no longer possible to create these from scratch. 
It's interesting to note at this point that the Account Thieves upped the aggressiveness of their attacks on the Official Forums at that point, spamming them more incessantly with more malicious links and more insidious ways of hiding them by confusing you as to the nature of the posts they were contained in. As an offhand note, not too long after hyperlinking was excised completely from the Official Forums, a lot of Keylogger posts being made curiously had their URL links underlined- which is a common HTML formatting for hyperlinks. Obviously this was not for function certainly as the function was just no longer possible within the confines of the Official Forums, but appears to have been intended to make links at least appear more like links- for reasons I can't possibly fathom... Types of Bogus Posts As stated, there are many varieties of Bogus Postings used to gull forumgoers into infecting themselves with keyloggers. Some are more clever than others, but in the end all share the same basic purpose- to fool people into visiting malicious links. Some of the different sub-strategies of fooling people are listed below. A given post may utilize more than one of these strategies to reel in catches, as well. *'The Single-Thread Variety' - this one is probably still the most common form that a Keylogger post takes and the simplest. The Zombie Account selects a forum and posts a single thread claiming to be any number of things, from naked pictures to screenshots of a successful Halaa raid or even guild recruitment posts (complete with bogus links to the "guildsite"), and so on. These threads normally have any number of fairly recognizable titles- as the Zombies repeat them quite often. Here's a brief of some of the typical thread titles that have been observed in use with Single-Thread keylogger posts. 
*'The (Multiple) Thread-Response Variety' - A bit more insidious and subtle than the Single-Thread Variety, this one is simply to respond to a forum post (typically MANY posts) with some sort of general response that, not too coincidentally, contains a URL which leads to a Keylogger. Response posts like this will usually be preceded by short text "blurbs" meant to mask the malicious nature of the post, things like "Here's what you need", or "this is what you're looking for", and so on. This one was employed fairly broadly on the high-traffick forums like General and Suggestions and they've broadened the strategy to include some of the "outlying forums" like the Realm Forums, for instance. Another common aspect of these sorts of postings is that they tend to be made by a single poster who then "floods" a given portion of the Official Forums (like a Realm forum, for instance) with roughly twenty responses to already-existing posts in that forum. Thsi often happens so fast that the reporting service used to report malicious posts is overloaded with calls to have them removed and becomes inaccessible for a short period of time. Like the Single-Thread Variety, the bits of text used to mask their nature are usually one of a set of commonly used blurbs- here's a list of some of those thus-far observed. *'Copypasta' - This strategy can be mixed in with other forms of forum "chicanery" in order to enhance the confounding value in Bogus Posts. It started, I believe, as a means to mask what would otherwise be one of the more obvious earmarks of the individuals making these posts- the language barrier. As stated earlier in this missive, the people making these posts are primarily Chinese in origin, and have little (if any) skill with the English language. When they attempt to author posts themselves, the results are usually uniquely hilarious examples of "lost-in-translation". They look odd and tend to put the warier onlookers wise to their bogus nature. 
*:So, instead of authoring a post themselves, the Zombie making the post copies another legitimate post already on the forums (usually a popular one with a high number of thread-views) and inserts, at appropriate points in that post, URLs leading to keyloggers. Usually the sorts of posts they pick on are posts that originally contained URLs of some sort, like screenshot posts, video posts and the like- so not only do you gain a coherent-sounding framework for your bogus URLs, you also gain a convenient "cover story" for the posting of them.

*'''Forum Bumps and "Plants"''' - Also interchangeable with other underhanded means is this little (if rarely seen) gem of a strategy. Sometimes another Zombie Account will (either inadvertently or deliberately) "bump" another keylogger post back to the top of the forum. They may even attempt to dispute warnings placed in response to those posts by other users that they are in fact keyloggers. I've not seen this happen myself, but I've heard from other people that it does. For the most part, lacking the skill in conversational English to make posts in the first place, I don't think this is a common tactic, but it may be employed, I think, to some degree of success in the larger, higher-traffic areas of the official forums (such as General Discussion or Suggestions).

*'''Trojan Signatures''' - This is a strategy I actually haven't seen in a long time. It probably fell out of use about the same time clickable URLs in the forums were disabled entirely by Blizzard. A Zombie Account wouldn't post the keyloggers in the text of its posts, but would instead leave them "innocuously" in the Signatures that were tacked onto their posts. I'm guessing the advantage to this approach is that it tended to go largely unnoticed by forum users, and thus not reported; sadly the disadvantage was the same- fewer people bother with links in forum signatures than they do with links contained in actual posts.
*:Again, I haven't seen this happen in a very long time, but as with all fads and fashions, they hardly ever die out completely, they just get recycled.

=Appendices=
Herein are contained a number of informational archives on the subject of Keylogger posts. Much of this has been gathered from observations and patterns seen while browsing the forums. It is kept both for posterity and for reference and will be updated as new information becomes available.

==Appendix A: Typical WhoIs Profile for a Bogus URL==
 Domain Name..........
 Creation Date........ 2008-09-07 12:40:07
 Registration Date.... 2008-09-07 12:40:07
 Expiry Date.......... 2009-09-07 12:40:07
 Organisation Name.... Star Co.Ltd
 Organisation Address. Star Street
 Organisation Address.
 Organisation Address. GuangZhou
 Organisation Address. 100000
 Organisation Address. XJ
 Organisation Address. '''CN'''
 Admin Name........... Zhang ShanShan
 Admin Address........ Star Street
 Admin Address........
 Admin Address........ GuangZhou
 Admin Address........ 100000
 Admin Address........ HK
 Admin Address........ '''CN'''
 Admin Email.......... fg@gmail.com
 Admin Phone.......... +86.102322111
 Admin Fax............ +86.102322111
 Tech Name............ taian liao
 Tech Address......... nn
 Tech Address.........
 Tech Address......... Nanning
 Tech Address......... 510031
 Tech Address......... GX
 Tech Address......... '''CN'''
 Tech Email........... agent10782@agent.dns.com.cn
 Tech Phone........... +86.7714922224
 Tech Fax............. +86.7714916049
 Bill Name............ taian liao
 Bill Address......... nn
 Bill Address.........
 Bill Address......... Nanning
 Bill Address......... 510031
 Bill Address......... GX
 Bill Address......... '''CN'''
 Bill Email........... agent10782@agent.dns.com.cn
 Bill Phone........... +86.7714922224
 Bill Fax............. +86.7714916049
 Name Server.......... ns2.dns.com.cn
 Name Server.......... ns1.dns.com.cn
Note all the bolded CNs and other indications of Chinese origin.
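As an added illustration (not part of the original article, nor anything Blizzard provides), here is a small Python script that reads a WhoIs record in the dotted-leader layout shown above and reports the same indicators the note calls out. The registrant values in the sample are constructed placeholders, and the 90-day "recently created" threshold is an assumption.

```python
"""Heuristic review of a WHOIS record in the dotted-leader layout of Appendix A
(added example, not from the article; registrant values are constructed)."""
from collections import defaultdict
from datetime import datetime

SAMPLE_WHOIS = """\
Domain Name.......... example-placeholder.net
Creation Date........ 2008-09-07 12:40:07
Expiry Date.......... 2009-09-07 12:40:07
Organisation Name.... Example Org (constructed)
Organisation Address. GuangZhou
Organisation Address. CN
Admin Name........... Placeholder Admin
Admin Address........ HK
Admin Address........ CN
Tech Address......... CN
Bill Address......... CN
Name Server.......... ns1.example.invalid
"""
def parse_whois(text):
    """Split 'Key....... value' lines; repeated keys (address lines) keep order."""
    record = defaultdict(list)
    for line in text.splitlines():
        key, dot, value = line.partition(".")
        if dot:
            record[key.strip()].append(value.lstrip(". ").strip())
    return record

def assess_whois(text, observed_on="2008-10-01"):
    """List the red flags the note above points at: a bare one-year registration,
    a domain created shortly before it was seen, every contact block ending in
    the same country code, and a generic TLD that hides all of that."""
    rec = parse_whois(text)
    fmt = "%Y-%m-%d %H:%M:%S"
    created = datetime.strptime(rec["Creation Date"][0], fmt)
    expires = datetime.strptime(rec["Expiry Date"][0], fmt)
    seen = datetime.strptime(observed_on, "%Y-%m-%d")
    flags = []
    if (expires - created).days <= 366:
        flags.append("registered for the minimum one-year term")
    if (seen - created).days < 90:   # 90-day threshold is an assumption
        flags.append("domain created %d days before observation" % (seen - created).days)
    countries = {v[-1] for k, v in rec.items() if k.endswith("Address") and v}
    if len(countries) == 1:
        flags.append("all contact blocks list country " + countries.pop())
    tld = rec["Domain Name"][0].rsplit(".", 1)[-1]
    if tld in ("com", "net") and flags:
        flags.append("generic ." + tld + " name gives no outward hint of the above")
    return flags
```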
Also know that the Domain name (which is removed from the above text) contained no outwardly obvious evidence of Chinese origin- it was a regular .net or .com, but its WhoIs rather obviously shows where it came from.

==Appendix B: Commonly-Used Single Thread Titles for Bogus Posts==
This is a historic list of Titles used for Single-Thread bogus posts containing Keyloggers. They do change from time to time, but are often used and reused. Each Title has a parenthetical notation of its probable "style", either "lost-in-translation" or "copypasta". It can be safely assumed that any post on the official forums bearing any of these titles is about 99.9% positively a Keylogger post. I will continue to add to this list as more titles come into use.

*''"Most fun with Kazzak since Reck Bomb (video)"'' (Copypasta)
*''"Huge Alliance Raid on Halaa (w/pics)"'' (Copypasta)
*''"The real AP IRL picture thread!"'' (Copypasta)
*''"hello, I am the ret"'' (Copypasta)
*''"Sex girl"'' (Lost in Translation)
*''"do any of you show your naked wife pics to ot"'' (Lost in Translation)
*''"Some of my teacher's naked pics"'' (Lost in Translation)
*''"my sex teacher"'' (Lost in Translation)
*''"Hey Kalgan, we're fine"'' (Copypasta)
*''"FREE BETA KEY"'' (Copypasta)
*''"Naked Woman Caught By Satellite"'' (Lost in Translation)
*''"After school lezzies"'' (Copypasta, sadly)
*'''*NEW*''' ''"i am a sexy model."'' (Copypasta)
*'''*NEW*''' ''"We Are Not Much Into WoW"'' (Copypasta)
*'''*NEW*''' ''"Kylie Minogue - Wow (Original Edit)"'' (Copypasta)
*'''*NEW*''' ''"World of Warcraft Girl Rants: Alliance"'' (Copypasta)
*'''*NEW*''' ''"Drunken Dwarf Milita Recruiting for WotLK"'' (Copypasta- mimicking a Guild Recruitment post)

A "lost in translation" post usually results when our Keylogging friends attempt to author a post themselves. Being primarily Chinese, and having almost no skill with English, these posts generally look fairly odd to the onlooker.
Such hilarious grammatical oddities as the "Sex Leg" and "Sex Girl" type posts have come about from these attempts. In the mentioned cases, they apparently don't understand that the word "sex", when used as an adjective, should end in a Y- i.e.: "Sexy". Sadly the average literacy and communications standard on the WoW forums is not especially high in the first place, so these red flags tend to go unnoticed.

A "copypasta" post is one strategy the Account Thieves have employed to get around "the language barrier" in order to look more legit and gull more people. The approach is simple: find a popular legitimate post already on the forums (one with a high view count) and copy it, then insert URLs to Keyloggers at appropriate points in the text of it. Posts chosen for this re-purposing are generally the sort of posts which would contain links to things like pictures or guildsites. So not only do you get around the language barrier, but you also get a free "cover story" for your keylogger URLs.

==Appendix C: Common "Blurbs" used to Mask Bogus Post-Responses==
Just as Single Thread Keylogger posts share a fairly common set of titles, so too do the typically-vague "blurbs" of text used to mask the malefic nature of Keyloggers posted in response to already-existing threads. This is a short list I've compiled that I will add to as I see more of them. If a URL is seen preceded by one of these, there's a good chance it's a keylogger.

*''"this is what you're looking for"''
*''"Here's what you need"''
*''"This is a joke, right?"''
*''"That's a good idea"''
*''"just beautiful!"''
*'''*NEW*''' ''"It's too good to be true!"'' (my personal favorite)
*'''*NEW*''' ''"Can't do that!"''
*'''*NEW*''' ''"Oh yeah."''
*'''*NEW*''' ''"really?"''
*'''*NEW*''' ''"It's cool!#!"''
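
The title list in Appendix B, the blurb list in Appendix C and the "twenty responses in moments" flood described under the Thread-Response Variety all lend themselves to simple detection logic, which a forum moderator could run over the post queue. The Python below is an added example, not anything the author or Blizzard ran; the forum log, the poster names, the placeholder domains and the flood thresholds are all constructed assumptions.

```python
"""Detection logic for the post patterns catalogued above, run over a constructed
forum log (added example, not the article's tooling; thresholds are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_TITLES = {"huge alliance raid on halaa (w/pics)", "free beta key"}  # Appendix B subset
KNOWN_BLURBS = {"this is what you're looking for", "here's what you need",
                "that's a good idea", "it's too good to be true!"}      # Appendix C subset
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b\S+\.(?:com|net|cn)\S*", re.I)
FLOOD_COUNT, FLOOD_WINDOW = 10, timedelta(minutes=5)  # assumed flood thresholds

def classify_post(post):
    """Return the matched pattern names for one post (empty list = nothing found)."""
    hits = []
    body = post["body"].strip()
    if not post["reply_to"] and post["title"].strip().lower() in KNOWN_TITLES:
        hits.append("single-thread: known bogus title")
    # Flag a reply only when its whole text is a known blurb plus a URL, not any mention.
    blurb = URL_RE.sub("", body).strip().lower()
    if post["reply_to"] and blurb in KNOWN_BLURBS and URL_RE.search(body):
        hits.append("thread-response: known blurb followed by a URL")
    return hits

def find_floods(posts):
    """(poster, forum) pairs that drop FLOOD_COUNT or more replies inside
    FLOOD_WINDOW: the 'twenty responses before reports can catch up' pattern."""
    by_key = defaultdict(list)
    for p in posts:
        if p["reply_to"]:
            by_key[(p["poster"], p["forum"])].append(p["time"])
    flooders = set()
    for key, times in by_key.items():
        times.sort()
        if any(times[i + FLOOD_COUNT - 1] - times[i] <= FLOOD_WINDOW
               for i in range(len(times) - FLOOD_COUNT + 1)):
            flooders.add(key)
    return flooders
# Constructed log: a burst of blurb+URL replies, one bogus thread, one real reply.
T0 = datetime(2008, 12, 6, 5, 0)
def mk_post(poster, forum, reply_to, title, body, secs):
    return {"poster": poster, "forum": forum, "reply_to": reply_to,
            "title": title, "body": body, "time": T0 + timedelta(seconds=secs)}
SAMPLE_POSTS = [mk_post("zombie1", "Earthen Ring", 100 + i, "Re: thread",
                        "Here's what you need www.example-placeholder.net/pics", 15 * i)
                for i in range(12)]
SAMPLE_POSTS.append(mk_post("zombie2", "General", None, "FREE BETA KEY",
                            "see example-placeholder.com for yours", 0))
SAMPLE_POSTS.append(mk_post("regular", "Earthen Ring", 100, "Re: thread",
                            "That's a good idea, I'll try it tonight.", 0))
```

The last sample reply contains an Appendix C phrase yet stays clean, because the check demands that the phrase be the entire post and be accompanied by a URL.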